At least two threat actors are actively attacking unpatched versions of the ThemeGrill Demo Importer, Profile Builder, and Duplicator plugins. Hundreds of thousands of WordPress websites are currently at risk of exploitation because admins have not updated the three plugins. One adversary, whom security researchers call ‘tonyredball’, gains backdoor access to websites that run a vulnerable version of the following two plugins. With this access, the attacker uploads malicious scripts through the plugin and theme uploaders in the WordPress dashboard. The attacker uses multiple variants of the script, which is associated with several filenames, to load another script from an external source.
Source: https://www.bleepingcomputer.com/news/security/multiple-wordpress-plugin-vulnerabilities-actively-being-attacked/

